XML Injection (aka Blind XPath Injection)
CVE-2026-41672
Summary
The package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue affects all xmldom versions, @xmldom/xmldom versions prior to 0.8.13, and @xmldom/xmldom 0.9.x versions prior to 0.9.10.
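As an added illustration of the defect class (example code written for this page, not xmldom's own serializer), the snippet below puts a verbatim comment serializer beside a hardened one that enforces the XML 1.0 rule that comment data may not contain `--` or end with `-`, and includes a crude structural check a reviewer can run over serialized output. The sample comment content and the helper names are constructed for the example.

```javascript
// Vulnerable pattern: comment data is concatenated verbatim, so data that
// contains "-->" closes the comment and whatever follows is parsed as
// sibling nodes of the comment.
function serializeCommentUnsafe(data) {
  return "<!--" + data + "-->";
}

// Validation check: XML 1.0 comments may not contain "--" and may not end
// with "-" (the latter would produce the malformed terminator "--->").
function isValidCommentData(data) {
  return !data.includes("--") && !data.endsWith("-");
}

// Hardened pattern: refuse to emit malformed markup. Throwing is one
// option; a serializer could instead rewrite "--" into something legal.
function serializeCommentSafe(data) {
  if (!isValidCommentData(data)) {
    throw new Error("comment data would terminate the comment early");
  }
  return "<!--" + data + "-->";
}

// Reviewer check: strip well-formed comments, then count the tags that
// remain outside them. Extra tags mean comment content escaped.
function countNodesOutsideComments(xml) {
  const withoutComments = xml.replace(/<!--[\s\S]*?-->/g, "");
  return (withoutComments.match(/<\/?[A-Za-z][^>]*>/g) || []).length;
}

// Constructed sample inputs: one benign comment, one whose content
// carries a comment terminator followed by an element.
const BENIGN = "release notes";
const HOSTILE = "harmless --><injected/><!-- ";

function demo() {
  const unsafe = "<root>" + serializeCommentUnsafe(HOSTILE) + "</root>";
  const safe = "<root>" + serializeCommentSafe(BENIGN) + "</root>";
  return {
    unsafeNodeCount: countNodesOutsideComments(unsafe), // 3: <root>, <injected/>, </root>
    safeNodeCount: countNodesOutsideComments(safe),     // 2: <root>, </root>
    hostileRejected: !isValidCommentData(HOSTILE),      // true
  };
}
```

The same `isValidCommentData` rule applies when a comment node is created from untrusted input, not only at serialization time, so validating at both points is the conservative choice.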
- LOW
- NETWORK
- NONE
- NONE
CWE-91 - XML Injection (aka Blind XPath Injection)
The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
References
Advisory Timeline
- Published